New Android Banking Malware ‘ToxicPanda’ Targets Users With Fraudulent Money Transfers

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions.

“ToxicPanda’s main goal is to initiate funds transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF),” Cleafy researchers Michele Roviello, Alessandro Strino and Federico Valentini said in a Monday analysis.

“It aims to bypass bank countermeasures used to enforce user identity verification and authentication, combined with behavioral detection techniques used by banks to identify suspicious money transfers.”

ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing basic similarities with another Android malware called TgToxic, which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.

A majority of compromises have been reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%), marking a rare case of a Chinese threat actor orchestrating a fraudulent scheme to target retail banking users in Europe and Latin America.

The banking trojan also appears to be in its nascent stages. Analysis shows that it is a stripped-down version of its ancestor, removing the Automatic Transfer System (ATS), Easyclick and blur routines, while introducing 33 new commands to harvest a wide variety of data.

In addition, as many as 61 commands have been found to be common to both TgToxic and ToxicPanda, indicating that the same threat actor or their close associates are behind the new malware family.

“While it shares some bot command similarities with the TgToxic family, the code deviates significantly from its original source,” the researchers said. “Many features characteristic of TgToxic are notably missing, and some commands appear as placeholders with no real implementation.”

The malware disguises itself as popular apps such as Google Chrome, Visa and 99 Speedmart and is distributed via spoofed pages that mimic app store listing pages. It is currently unknown how these links are propagated and whether they involve malvertising or smishing techniques.

Once installed via sideloading, ToxicPanda abuses Android’s accessibility services to gain elevated permissions, manipulate user input, and capture data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated using authenticator apps, thereby enabling the threat actors to bypass two-factor authentication (2FA) protections and complete fraudulent transactions.

The core functionality of the malware, beyond its ability to gather information, is to let attackers remotely control the compromised device and perform ODF, which makes it possible to initiate unauthorized money transfers without the victim’s knowledge.

Cleafy said it was able to access ToxicPanda’s command-and-control panel (C2), a graphical interface presented in Chinese that allows operators to view a list of victim devices, including model information, location and options to remove them from the botnet. The panel also acts as a channel to request real-time remote access to any of the devices to perform ODF.

“ToxicPanda must demonstrate more advanced and unique properties that would complicate the analysis,” the researchers said. “However, artifacts such as log information, dead code and debugging files suggest that the malware may either be in its early stages of development or undergoing extensive code refactoring – especially given its similarities to TgToxic.”

The development comes as a group of researchers from the Georgia Institute of Technology, German International University and Kyung Hee University detailed a backend malware analysis service called DVa – short for Detector of Victim-specific Accessibility – to flag malware that exploits accessibility features on Android devices.

“Using dynamic execution traces, DVa further uses an abuse vector-directed symbolic execution strategy to identify and attribute abuse routines to victims,” they said. “Finally, DVa (Accessibility) detects authorized persistence mechanisms to understand how malware obstructs legal inquiries or takedown attempts.”

The discovery of ToxicPanda also follows a report by Netcraft that describes another Android banking malware called HookBot (aka Hook) that also exploits Android’s accessibility services to perform overlay attacks to display fake login pages on top of legitimate banking apps and steal credentials or other personal data.

Some of the institutions targeted by the malware include Airbnb, Bank of Queensland, Citibank, Coinbase, PayPal, Tesco and Transferwise, among others. Apart from harvesting sensitive data, a notable feature of the trojan is its ability to spread in a worm-like manner by sending links to malware-laced apps via WhatsApp messages.

“HookBot can also log keystrokes and capture screenshots to steal sensitive data while the user interacts with their device,” the company said. “It can also intercept text messages, including those used for two-factor authentication (2FA), allowing threat actors to gain full access to victim accounts.”

HookBot is offered for sale on Telegram to other criminal actors under a malware-as-a-service (MaaS) model, costing anywhere from $80 for a weekly subscription to $640 for six months. It also comes with a builder that allows customers to generate new malware samples and build dropper apps.

Update

Following the publication of the story, Google shared the following statement with The Hacker News:

Based on our current record, there are no apps containing this malware on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is turned on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
